NIST: National ID is not part of 'identity ecosystem'
New website explains plans for Trusted Identities strategy and counters fears over ID requirements
A new website
has been created by the National Institute of Standards and Technology to explain plans for a National Strategy for Trusted Identities in Cyberspace and to help quell fears that the government is creating a national Internet ID to track online activities.
“NSTIC does not advocate for a required form of identification,” the site’s FAQ says. “Nor will the U.S. government mandate that individuals obtain an Identity Ecosystem credential (i.e., digital identity). . . . This new Identity Ecosystem is meant for sensitive transactions that require authentication and would keep transactions anonymous when a trusted ID is not needed.”
Launching of the site follows last week’s announcement that a national program office for the national strategy will be set up in the Commerce Department. That office has not yet been formally established, but William Barker, chief of the NIST IT Laboratory’s Computer Security Division, has been named acting program manager.
Internet ID system challenge: Balance security and privacy
Commerce Secretary Gary Locke announced the office Friday during a symposium at the Stanford Institute for Economic Policy Research, at which public- and private-sector officials discussed the need for a trusted system to support online transactions. The program office will:
- Promote private sector involvement.
- Build consensus on the necessary legal and policy frameworks to enhance privacy, free expression, and open markets.
- Work with industry to identify new standards or collaboration that might be needed;
- Support and coordinate interagency collaboration.
- Assess progress in meeting the goals, objectives, and milestones of the strategy.
- Promote pilot projects and other implementations.
NSTIC is part of broader effort to improve the nation’s cybersecurity posture and to help ensure the security of the growing online economic sector. During the symposium, White House Cybersecurity Coordinator Howard Schmidt sited $30.8 billion in online spending during the 2010 holiday season, a 13 percent increase over the previous year.
A draft strategy was released in July and the final version is expected to be released within a few months. The strategy does not define the technology to be used, but sets out four guiding principles:
- The identity solutions must be secure and resilient.
- They must be interoperable.
- They will be voluntary.
- They must cost-effective and user-friendly.
“We have a major problem in cyberspace, because when we are online we do not really know if people, businesses, and organizations are who they say they are,” Schmidt wrote in a blog posting about NSTIC last week. “Moreover, we now have to remember dozens of user names and passwords. This multiplicity is so inconvenient that most people re-use their passwords for different accounts, which gives the criminal who compromises their password the ‘keys to the kingdom.’”
Because the identity ecosystem being envisioned would be voluntary and competitive, the cooperation of the private sector will be essential. Companies are expected to develop the credentials needed for the ecosystem, as well as the trust framework that would make them interoperable.
A major challenge in implementing NSTIC will be enabling technology in a way that is scalable and manageable both for end users and organizations. Schemes also must be easily adaptable to transactions requiring different levels of security and assurance. The requirements are to limit the amount of information used in a transaction to only that which is needed to secure that particular transaction, and to retain no more information than is necessary and for no longer than is necessary to ensure the privacy of the user.
There is some public concern that NSTIC is intended to be or will evolve into a national ID, at least for online identities, that could be used to track online activities. Locke addressed that concern in announcing the national program office.
“We are not talking about a national identity card,” he said. “We are not talking about a government system.”
NIST is taking pains on the website to assure that the proposed identity ecosystem would not be a national ID system. “The U.S. government will not mandate that people obtain an Identity Ecosystem credential,” the FAQ says.